New Project Deployment Input

networking
installation
internet
subdomain
public-mail-domain

#1

It’s been a while since I posted and a while since I really started working with UCS. I am getting ready to set up a new deployment of UCS and I have a few questions that I was hoping the community might have some insight on.

First, what I am planning is two sites that will be public websites. My intention is to use UCS for user control/management with LDAP. There are also some of the UCS apps that I thought about using, so I’ll list them here as independent or UCS hosted. For reference’s sake we’ll call the domain MyDOMAIN.COM.

I intend for NextCloud and the Wordpress site to be accessible externally, from outside the internal network. The network for all of this is completely separate from my internal network. Access to the servers and services is only via the internet, not the internal office network. The servers are on their own network that is firewalled and port mapped to static IPs for subdomains.

Example: nextcloud.MyDOMAIN.com, wp.MyDOMAIN.com, something along those lines.

  • NextCloud (Independent Server from UCS)

  • Wordpress (Independent Server from UCS. I have thought about using the Wordpress app in UCS but that is a new one to me so I’m not familiar with it running on UCS.)

  • Onlyoffice Doc Server (UCS, I have not read up on the UCS version but my intention was to use it with Nextcloud if that’s possible.)

  • Mail (UCS. The UCS install will have its own domain that I would like to set up and use the mail functionality on a small scale. Mostly for internal servers and services that the public never sees. It would just be for me. For reference’s sake we’ll call the domain MyDOMAIN.COM.)

  • UCS (Is it okay to run UCS as its own site? Am I just setting myself up for failure?)

None of these systems are mission critical; this is more of a personal project. However, I do not want to build this project out thinking it is a good idea when in reality it is a very bad idea.

UCS would be my central management point for users and the email server for MyDOMAIN.com. Would it be okay if I did have my UCS install accessible from the internet? I realize that it would need some access just because I intend to use the email functionality of it. My gut tells me no, but with all that I have read it seems like this is not such a big deal, or am I just trying to rationalize a bad idea?

Thanks in advance for your time.


#2

Hey,

for public access I usually run one web server on a public IP that acts purely as a reverse proxy for all applications. I often use nginx, but Apache will do nicely as well. That one reverse proxy server reacts to all those sub-domains and proxies requests to them to their respective internal hosts.

That setup has several advantages, including but not limited to:

  • You limit the number of machines where you need to apply security updates a bit. For example, if there’s an update to OpenSSL it will usually suffice to apply it on the reverse proxy immediately, whereas other machines can be updated a bit later (I’m not arguing that you don’t have to install the updates on the internal machines, only that it’s not that time critical).
  • It’s much easier to deploy Let’s Encrypt for automatic SSL certificate generation as you only have to configure, run and monitor it on a single system.
  • You only need a single public IP address in such a setup, even with encryption, due to SNI.
  • Changes to the internal hosts (e.g. moving an app from one machine to another) will only require an update to the proxy server configuration, but not to the public DNS entry — where you would otherwise run into the usual DNS caching issues.

All of those internal machines can run UCS or anything else, they can all use UCS’s LDAP server as an authentication source.

For other protocols (e.g. SMTP, IMAP) I usually employ port forwarding to the machine handling that service.

Edit: I usually choose a non-UCS distribution for that reverse proxy as none of UCS’ advantages are required on such a machine (e.g. you don’t need user accounts there, you won’t provide file sharing on it etc.).

Kind regards,
mosu
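The layout mosu describes above, written out as an added example that is not from the thread and not Univention’s or nginx’s own configuration: one nginx instance on the public IP terminates TLS for several subdomains (selected by SNI, so a single IPv4 address suffices), serves a single Let’s Encrypt webroot, and proxies each name to its internal host. The internal addresses (10.0.0.10, 10.0.0.20), the certificate paths and the ACME webroot are assumptions for illustration.

```nginx
# Added example, not from the forum thread. Internal addresses,
# certificate paths and the ACME webroot are assumptions.

# Plain HTTP: answer the ACME HTTP-01 challenge (certbot --webroot)
# and redirect everything else to HTTPS.
server {
    listen 80;
    server_name nextcloud.MyDOMAIN.com wp.MyDOMAIN.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;          # assumed webroot shared by all names
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Default TLS server: refuse handshakes for SNI names we do not serve,
# so an unknown hostname is never silently routed to the first vhost.
# (ssl_reject_handshake requires nginx 1.19.4 or newer.)
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# nextcloud.MyDOMAIN.com -> internal Nextcloud host (assumed 10.0.0.10)
server {
    listen 443 ssl http2;
    server_name nextcloud.MyDOMAIN.com;

    ssl_certificate     /etc/letsencrypt/live/nextcloud.MyDOMAIN.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.MyDOMAIN.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    client_max_body_size 0;                 # let Nextcloud enforce its own upload limit

    location / {
        proxy_pass http://10.0.0.10;        # hop to the app host is plain HTTP on the
                                            # isolated segment; use https:// if it is shared
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300s;            # long sync/upload requests
    }
}

# wp.MyDOMAIN.com -> internal WordPress host (assumed 10.0.0.20)
server {
    listen 443 ssl http2;
    server_name wp.MyDOMAIN.com;

    ssl_certificate     /etc/letsencrypt/live/wp.MyDOMAIN.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wp.MyDOMAIN.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://10.0.0.20;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two caveats that follow from the headers set above: the application hosts must be told which proxy to trust for `X-Forwarded-*` (Nextcloud’s `trusted_proxies` setting; WordPress needs a `wp-config.php` check on `HTTP_X_FORWARDED_PROTO` to know it is served over HTTPS), and since the firewall only forwards 80 and 443 to the proxy, nothing else should listen on the proxy’s public address. Moving an app to another internal host is then a one-line `proxy_pass` change, as described in the post.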


#3

Thanks Moritz

I think I might use Apache2 as I’m a little more familiar with its workings than nginx. :3

Currently I have a UCS:Slave with nextcloud installed on it behind a firewall and I plan on port mapping from the firewall to the proxy. I can’t see port mapping being much different from doing so with any website at this point. I’m not as familiar with it but would I be better off to use a UCS:Member as my install point for nextcloud and wordpress etc?

The nextcloud install is fresh, so if need be it’s not an issue to simply spin up another server as a UCS:Member and install again. I might be over complicating things, but as of now the setup would run like this:

INTERNET <—> (Firewall:PortMapped) <—> REVERSE PROXY <—> UCS:Slave (w/Nextcloud, apps etc.) <—> (Firewall:LDAPaccess:OnlyBetween-Slave-&-Master) <—> UCS:Master

As mentioned, I am thinking of also deploying a wordpress as well. I have been reading up on reverse proxies; once it’s set up, and since all of my sites could be hosted on one system, it would be very simple.